<html>
<body>
Reports calls to <code>java.sql.Statement.execute()</code> or any
of its variants which take a dynamically-constructed string as the query to execute.
<p>Constructed SQL statements are a common source of security breaches.
  By default, this inspection ignores compile-time constants.</p>
<p><b>Example:</b></p>
<pre><code>
  ResultSet execute(Statement statement, String name) throws SQLException {
    return statement.executeQuery("select * from " + name); // reports warning
  }
</code></pre>
<!-- tooltip end -->
<p>
Use the inspection options to consider any <code>static</code> <code>final</code> fields as constant.
Be careful, because strings like the following will be ignored when the option is enabled:
<pre><code>
  private static final String SQL = "SELECT * FROM user WHERE name='" + getUserInput() + "'";
</code></pre>
<p>
</body>
</html>